Malware Analysis Report

2024-10-19 09:08

Sample ID 240911-yr991azerr
Target b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117
SHA256 b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117
Tags
amadey stealc c7817d rave discovery evasion execution persistence stealer trojan credential_access spyware
score
10/10

Analysis Overview

score
10/10

SHA256

b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117

Threat Level: Known bad

The file b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Browser Information Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 20:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 20:02

Reported

2024-09-11 20:05

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\751c886948.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\751c886948.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1028 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1028 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2928 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe
PID 2928 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe
PID 2928 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe
PID 2928 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe
PID 2928 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe
PID 2928 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe
PID 2928 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2928 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2928 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 3076 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 3076 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 3076 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 4568 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 4568 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 4568 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 3352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 908 wrote to memory of 3352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 2536 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 908 wrote to memory of 1992 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 908 wrote to memory of 1992 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2536 wrote to memory of 4860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe

"C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe

"C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\751c886948.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1840 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90d3de47-7a1f-4d30-937d-676bf3fed4e3} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe546d46f8,0x7ffe546d4708,0x7ffe546d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe546d46f8,0x7ffe546d4708,0x7ffe546d4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2431a85c-fa86-411a-b30c-ecd3f285814a} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3252 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc0f4b0d-08d8-401c-afec-637c6d186d54} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3556 -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3544 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c93eba7-4e7e-41b5-9333-aa1c600f8003} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -childID 3 -isForBrowser -prefsHandle 4148 -prefMapHandle 4144 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c999a951-e8ad-4de1-aaef-eb755c0ab223} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4608 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e28ac3c2-b488-4674-8705-e2a87ec458dc} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,2552745120519263686,6333956797771475480,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,2552745120519263686,6333956797771475480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5948 -childID 4 -isForBrowser -prefsHandle 5964 -prefMapHandle 5960 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4604738-a7c2-436b-95e1-a6e4bb5b11df} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6080 -childID 5 -isForBrowser -prefsHandle 6088 -prefMapHandle 6092 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ff3a0cc-6a8b-42f3-a618-8a8b50881440} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6364 -childID 6 -isForBrowser -prefsHandle 6284 -prefMapHandle 6288 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcce8d1e-34fc-495a-ab2f-27ac60126e73} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,9592864110814555347,315275473301748606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 59.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 216.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.204.78:443 youtube-ui.l.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 143.180.12.52.in-addr.arpa udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 172.217.169.46:443 www.youtube.com tcp
GB 172.217.169.46:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
N/A 224.0.0.251:5353 udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
N/A 127.0.0.1:59279 tcp
N/A 127.0.0.1:59290 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 79.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com udp

Files

memory/1028-0-0x0000000000770000-0x0000000000C1C000-memory.dmp

memory/1028-1-0x0000000076F14000-0x0000000076F16000-memory.dmp

memory/1028-2-0x0000000000771000-0x000000000079F000-memory.dmp

memory/1028-3-0x0000000000770000-0x0000000000C1C000-memory.dmp

memory/1028-5-0x0000000000770000-0x0000000000C1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 28fc680cd7ce04804903263844ab3fec
SHA1 74dbf07bf5be88466023076f1b5a8192e5fb7e65
SHA256 b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117
SHA512 6c7130922b5c21ffaa99b855ea6416f649b3dd91313c6d76b4273eb74281b9cb18ca806a68c34f9ed908c846983576a27b8a4d811277017e3fe4dc78d40696ba

memory/2928-17-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/1028-16-0x0000000000770000-0x0000000000C1C000-memory.dmp

memory/2928-19-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-20-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-21-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-22-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-23-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-24-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-26-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-27-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/3924-29-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/3924-30-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/3924-32-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-33-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-34-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-35-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-36-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-37-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2928-39-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2844-40-0x0000000000300000-0x00000000007AC000-memory.dmp

memory/2844-41-0x0000000000300000-0x00000000007AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\b1dccd851b.exe

MD5 0f0ef1482985e6cf9403f782e6ba6d10
SHA1 d7b44e16fc1eb2845b3db09a4fec9ba66dfcebe4
SHA256 cc65a55c66501ede8db7f899410180caa449102982130e4ed48a45909156e3c1
SHA512 6b484bcbba919e8c2dfc86f703196adbe065c04b93d74d47cc63f7df2e1224a62c854b5b5c03b235c48f4db3a9449d59c9a6dbed832f2e0c0f0fccf739b0a794

memory/1772-57-0x0000000000610000-0x0000000000C86000-memory.dmp

memory/1772-71-0x0000000000610000-0x0000000000C86000-memory.dmp

memory/3228-75-0x00000000003B0000-0x0000000000A26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/908-83-0x00000000024A0000-0x00000000024D6000-memory.dmp

memory/3228-85-0x00000000003B0000-0x0000000000A26000-memory.dmp

memory/908-86-0x0000000004F40000-0x0000000005568000-memory.dmp

memory/908-87-0x0000000004EE0000-0x0000000004F02000-memory.dmp

memory/908-88-0x00000000056E0000-0x0000000005746000-memory.dmp

memory/908-89-0x0000000005750000-0x00000000057B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfut0bny.5la.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/908-95-0x00000000057C0000-0x0000000005B14000-memory.dmp

memory/908-100-0x0000000005D80000-0x0000000005D9E000-memory.dmp

memory/908-101-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

memory/908-104-0x00000000062C0000-0x00000000062DA000-memory.dmp

memory/908-103-0x0000000006E80000-0x0000000006F16000-memory.dmp

memory/908-105-0x0000000006330000-0x0000000006352000-memory.dmp

memory/908-106-0x00000000074D0000-0x0000000007A74000-memory.dmp

memory/2928-110-0x0000000000300000-0x00000000007AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4dd2754d1bea40445984d65abee82b21
SHA1 4b6a5658bae9a784a370a115fbb4a12e92bd3390
SHA256 183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
SHA512 92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\3d5307c8-1be1-476e-9b6f-64ab53724da6

MD5 4cbca958ff90e996b92540c128917329
SHA1 8baf0bbaac3841c3db356ea457f1ffb1e8fad113
SHA256 582ed0a6e3ed7f44d15d1a2a686a9db7470faad3c344497353726bbd3c0805e5
SHA512 39f28bf6c69c334f3d7c8697468e0ab0472752ac60b764bb9701bd7bad299be70a82e7d9de0d52496e3c057893927193e28eae357de687751cf561396d6a6471

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\41fe9a31-6f70-41d1-81a6-a453e48ad279

MD5 0152c391bd1aef6d9bb2db697a66cfff
SHA1 8bf756deb4c175304259ad3ddba9bbe00ac45412
SHA256 a765cbbb2ed7a2aaa3d49a0de10e41e4a03db54c773526f9377a841a1a4b68bc
SHA512 b07d8336d90248894d9762dc8227fe2faf39b584b9989fa7783e99c8a54f5ef1d231b2ab58ea7e71a5cd5b4c0910e7d8cfb7a4ebab030c4a3b5aaefee66637b2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\1bafa25c-6f07-4a03-a37d-08313f3691a7

MD5 48ef8f955796cde1a9603f3462d029f3
SHA1 b9e8a422ed152cfa13679ba28f79b9fece7a5ec7
SHA256 92b200ae6b090f6ab7af2d735c6a3dc79e354191adcd003ee79061e2c9ec0cae
SHA512 47fcada2db04e885e520e06039063de8c01a8df44ff8b089bea1d03d8c156483b0d86158af555f26152099d4f8ef875fbd44599248defedd33ff7cce2724ef51

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

MD5 096adbdaf739051c76c50a4f84bfece6
SHA1 90d328bd9b18c37e6a125999711a7e0fe63b5f86
SHA256 facc3d2fd0cc251be1140ec86e85777251239edc4715a2219d37833614ee272f
SHA512 70f8735a9afacbe9998b20ebed32d9dcadb12ddafb5c5aadc5d85abb2870ef31b4b32cf372449a0a7caeecb2d2180393a515d4f499f6227d9bb4195d9e98d938

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

MD5 955fbfde8413274c2b9af7b2b4eb912c
SHA1 9a70fd50905ecc747b41f7a5db4f3779b9a63bdc
SHA256 310847471446577b76ec5af05b36112b2c2bed4ff773d470f5d6a0b95e1ce3fb
SHA512 af4f22f737a978943580dfa41df2756a305b2c5d23b3efd1ffb2e3428172894e669c64a1f721b5a2b5f42943435364bfcd9bb26327f71125701caaacbd498ffa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ecf7ca53c80b5245e35839009d12f866
SHA1 a7af77cf31d410708ebd35a232a80bddfb0615bb
SHA256 882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
SHA512 706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

\??\pipe\LOCAL\crashpad_1048_QQKANMETRFURHMKR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

MD5 c9d8335d3d7a051d22f992192ffadfbd
SHA1 f20c4225ced3692ef5cf21c4e2b3890ce85f656c
SHA256 c9a1883251106158e3ad1cfbb09941f86c45b0bb0aac2f4e17b6ebc496de55b9
SHA512 0a8cae921e3a9222f7f97c2c9b17d267c8ee2996ec4f9a59bb6b9d28993515322d4c99c2b62f218d363510440a68a3cbea6215965e305b09187f8ce4d16d2c93

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

MD5 28506df1e6cd0caab9b559e86a49a143
SHA1 16488967702937cc91247db8c6b2ff3a5459f3bd
SHA256 481a3b84d85391694dfa863b6f7a0167719d3d4e9cf39a1005637efdeaa386cc
SHA512 91d2e9e95ffa526cf1d952bcf4cd8531a340f48299bc73d2fc6b8c33486ae22390b67c5af3b17cde24b12a5a45cf189694c6ff26d9749e4e7c03d022b6b42d14

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f44eec241e1f16d98f1ba0a0ca9e1a06
SHA1 a52e74b4d88b10a85175d6fd7ffbc10a8dd3b388
SHA256 4396aba024431369d31559f0666f41f6b5d0fda80bb92a768cf424293e7f0833
SHA512 20e2ee1f70e74714c6fb4c31cf393cedff45ff2d0e0c2c8e1ac938a780ebdba5cb636de6f7c14f7bf20eb654f79c0ffa00a552c907307d85f6752cfd6469b3e9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

MD5 2360b42a279be5e61291c16c7931e918
SHA1 bdca6d42221bb8e2a1587901b95d30f6ca20ab19
SHA256 9f91a2ee21add28e2310e3d57a6e6d9eced331b5e7417f8ca898870b1cebef43
SHA512 6a58642057218ffb62ad0ef906aaaa67163648ef37f89787d6305c6c752559a32d176220123e3b1aa7f8ad7639c04535ad5deae398b4050d4e24a6217c33224a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 5bef36aee869e915d57334ded9610ad0
SHA1 1636c31672ef76ca2e2d9f86f7bd121613d86d9c
SHA256 18295cf05b35de3e48ca83356cb26f0ca38140b35cbeed0ceab6ddac8e189eac
SHA512 56500ad410dac891d61cc889f9b59ce7bb3db19d34d26fb87c26239b6d6ca3bb2046761870038009554930a1ad5af41de5a2698ed892dbb97f8ae59f8ff6121b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json.tmp

MD5 7173b9b94515f90e0122599768de9af3
SHA1 9a926f25d25673f0368b9be0d20cb9fcfab18ac9
SHA256 beac6cd8a4130a0782c2abeb29e0cec3626b32c5abbbce4cf9215d0dcbe76ec8
SHA512 9f31e2785a053b94ea99a239e49b45010b018143213857fc3eb8db38779a30f69b871ff976753d349ba5fd52ce938e3e89587cecf5c7fecaa9846504c4a61cf6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7acdb58ef05788d5696b0e9920c745d8
SHA1 4f2f17bc15a2626af78b147993b5f24f2222cb0f
SHA256 c375cc69d9bbd2057ec39625a34b71fe740dcf64afcb91e023026de4c80fbada
SHA512 ff675e439c60f3bcab925288d878c2e51e27c07b83260e72ef54369daf3a16c7540c8d9075d55fcef1506b17151161aa36299b4c9ec84c4c2ee21781aebde1a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

MD5 4bd94104912fbbf4b6c7dfffe7c36f35
SHA1 413acf63951fef4fac7b6409c95e043e77ffc148
SHA256 f33d4e3e3fb050ae914a9780c0cefcf24d67df56b1883c832a6a3af61129deb8
SHA512 90d30a1f53ca019f1709fd3fc9c128e2d70092cee19ab75fa40e0b85ad8d7b30f5b0eb7d6113fa3133128fcd3015fc8bbe3d29537e4fea8fe807a567bcc90781

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/2928-622-0x0000000000300000-0x00000000007AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ac8704c99005df3b68a37146817e81ae
SHA1 b6525da7ad5fc65c871a4d4699c075b5530a3b84
SHA256 80aee9236a465e3d29dcb67bdbb08bd3608cf2d28febb5298ea69c0eb028816d
SHA512 7281c58ef912f15a94c98f2b2615582bca67d1326821321efa33fae835e1e121e42b62222475f961e8f9bed8a7abc73cc257fd9e864bb2501c148cb5968cb656

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8aec82ebb636cae12d61497b489216dd
SHA1 71050435636124983d184145720eb43d59a7ab25
SHA256 b1384afb6eef8ac4cdf3473719f0517e8161756ac1b2987f092477983aacf909
SHA512 7af65df7bf2a48f0e1fb2b7fc80720bc58d876948ff3c8a99113c10ac00378fb52be3ec884bef0e3934419de1c2c31c97dcebde629220637eab7763f697f8e9e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

MD5 db2600aa23a2acbb6dc66f33121bd3ac
SHA1 ab4c9f7d373bbbe05b6c259c26dce85825f95468
SHA256 e4246d0e0314921024de8d4e77b8664c9db4e98f46a9b7f5b6ed7b9cec4cd0aa
SHA512 7c8ed22f76de85e437c803d7e386635cc09fcb77e556f91ef081f55befc724b83087d44526d09584460bc7230781be9fc3b0d6351042db84e6251b3190c4eed4

memory/2928-656-0x0000000000300000-0x00000000007AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

MD5 426cccac498958126e8025d479fcf04b
SHA1 9ba809a104bc832f6acfed82b906d992b5f223ab
SHA256 049282d314f0ccfc8f24d48fb223db852d1b320e5f4642911fdb63c6f49a42aa
SHA512 d6b593ddc7982bf8d7db44eb9857d35ed5b362ac158f8af0e144ece26316447ac7137c4c289fa91fcce8102e00a73538a8d90ad3cb9dae70ee3e98df7f166009

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

MD5 a59f49ff2bab9c8009234db07d3b0a01
SHA1 b8016a839818be751b3006f31ca2ecbcfb18117e
SHA256 5f274926620e89182e855af42e01dc0d190a2b66cb42a3f5ecbcf3bd26a60461
SHA512 9238352349b4aa22fc3f4c7e0317ca8ee9825fab9038de95411ddeeb16cd23d6438ce64f813bf6dc7d4b042542e375bb15536831f254f38846edffafa4556696

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

MD5 fafb42de64abffc79a771143cce89a23
SHA1 ed53f0b20204c6ed6a620ec87a6ee4f41ed49bcc
SHA256 9444e8d13c9051fbe3a7c2614eaa8166794be1309fd963339c5d6a76bb21422a
SHA512 0f5fceba23c6b4f6ebd518a6976a766344f5689a321fb647a939fa7fed9e4528960d63e63f93ed53459b2ab1ac5f913467e933d8c3d81e0b7b5c59bb9f2aef7c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 a7862d8a18cc4309315ec30d448ac0de
SHA1 f5db73896dfc68117cc6304f8e8d794492965f54
SHA256 7c4526ae749c933adfb761004fa55700c3cdd5560243db5da830016788a14870
SHA512 892bfd252ac427961079cc86f217e0d46bb3b90647d9b61efb9457087563853f65802f38ad2185fe5f97bcf6ddf16ae065a30008cd7053ea23dc4c7405c4f09a

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 0eb46896b6d2e593ec98097c2cb1c1ae
SHA1 e916a2afc61426906b716cfdda75ee2fc25b4dc0
SHA256 10505731be129118ffbb53a5ac863820ab570083119701afa6385e8dec6dab0a
SHA512 f7c5345cdeb8a073d8d5cabb6918e5b9fe4410b3947fbc1c17b6898b9d9cf374c10334e3e50593f3d597cd87237bacc9662f6bb4c7f68698f9916508365a5793

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 b814b92fed102b9ec510a56114d666a4
SHA1 baac462ada8a6cb34a6760e35a7e2c0d8e833f80
SHA256 f819950bd20c957c3ea704e2c37a650bf83d71f470f236a53b3aa6f81e898452
SHA512 37b0197326ba1196e05540ef18fe79e3d8090773721df1208c0cc526498fd3b20245d6927c4a9662d1797e189179bea4aea790bc6819f5d413f072a8a8a56433

memory/2928-867-0x0000000000300000-0x00000000007AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 95cc9b1f787d742cb6a9f474886e4828
SHA1 b6ccab407a61582ba787289ed3f05e323d892491
SHA256 e6043a9b77dabd1165dee7a02a3759014b6302537547119958d8f6bc52ee42b0
SHA512 59281c952515e36b5e671d2e4791d92a1620293ca209698a3b3bc3c1951ea8a76c4fbf8b383263cd12535381775c8b0f96067d616e963ce75b8ae73d124f6515

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

MD5 956a959ac2ffd51a0cb1728d67997a24
SHA1 bad83cae8e6e973d41b53c82ad984bdc45e02c70
SHA256 01818e8385f2c36420bd69102588c5788588e639484eccd9b23ae8d25fef5f71
SHA512 fe161dd4cd55e8685e61286e842d4c4ed073f8ddb47436f44d5c494a5903023ee59f39adfb77e182a3ef34ede36d9cfbca57152c4efceb7897f8fcf78b0b2855

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

MD5 6088041a1c6ff2d2b55d156aebcea428
SHA1 1b6bb2b874d13776e73f646ebfae9cca598bf79f
SHA256 b560831c5390202fbe4dd5d82477a391171f6d803504139061cc6b74907d357e
SHA512 522fd971f239df847cc516a717c3b33401f0ba0bef3f3aa4410e8d04296851d87c09c9517ad6ac3b25840650be0f95a1eb76652afde81ced22f89377b256e92f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2928-1309-0x0000000000300000-0x00000000007AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 20:02

Reported

2024-09-11 20:04

Platform

win11-20240802-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\a9e6e6f344.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\a9e6e6f344.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
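The four evasion and discovery tables above (VirtualBox ACPI key, BIOS version values, the Wine key and the NLS language key) list each registry probe on its own row, so the fact that the same four images perform all of them is easy to miss, and the language check also fires on cmd.exe and powershell.exe, which on its own is noise. The script below is an added example, not the sandbox's own tooling: it parses rows copied from those tables (one row per distinct probe/process pair), classifies each registry path into a probe type, and flags a process only when it performs at least two of the strong anti-analysis probes. The probe classes, the "strong" set and the threshold are this example's own choices.

```python
"""Correlate anti-analysis registry probes per process.

Added example for this report; it is not the sandbox's own code. ROWS is
copied from the VirtualBox, BIOS, Wine and language tables above, one copy
per distinct probe/process pair. Probe classes and threshold are assumptions.
"""
import re
from collections import defaultdict

ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
"""

# Registry paths that identify each probe type (assumed classification).
PROBES = {
    "vbox_acpi": re.compile(r"\\ACPI\\DSDT\\VBOX__$", re.IGNORECASE),
    "wine": re.compile(r"\\Software\\Wine$", re.IGNORECASE),
    "bios_version": re.compile(r"\\(System|Video)BiosVersion$", re.IGNORECASE),
    "language": re.compile(r"\\NLS\\Language$", re.IGNORECASE),
}
# The language key is read by cmd.exe and powershell.exe too, so it never
# counts towards the threshold on its own.
STRONG = {"vbox_acpi", "wine", "bios_version"}
ACTIONS = ("Key value queried ", "Key opened ")


def parse_row(line):
    """Split one report row into (action, registry path, process image)."""
    for action in ACTIONS:
        if line.startswith(action):
            body = line[len(action):]
            break
    else:
        raise ValueError(f"unrecognised row: {line!r}")
    if not body.endswith(" N/A"):
        raise ValueError(f"missing Target column: {line!r}")
    reg_path, _, process = body[:-len(" N/A")].partition(" ")
    return action.strip(), reg_path, process


def classify(reg_path):
    """Map a registry path to a probe name, or None if it is not a probe."""
    for name, pattern in PROBES.items():
        if pattern.search(reg_path):
            return name
    return None


def probes_by_process(rows):
    """Return {image name: set of probe types it performed}."""
    seen = defaultdict(set)
    for line in rows.strip().splitlines():
        _, reg_path, process = parse_row(line)
        probe = classify(reg_path)
        if probe:
            seen[process.rsplit("\\", 1)[-1]].add(probe)
    return dict(seen)


def sandbox_aware(rows, min_strong=2):
    """Image names that performed at least min_strong strong probes."""
    return sorted(name for name, probes in probes_by_process(rows).items()
                  if len(probes & STRONG) >= min_strong)


if __name__ == "__main__":
    for name, probes in sorted(probes_by_process(ROWS).items()):
        print(f"{name}: {sorted(probes)}")
    print("sandbox-aware:", sandbox_aware(ROWS))
```

Run on the rows above it flags the original sample, svoutse.exe, 2c6f07f57d.exe and a9e6e6f344.exe, each of which performs all three strong probes, and leaves cmd.exe and powershell.exe alone, since their only hit is the language key. The same grouping is what you would want in a detection rule: alert on the combination per process, not on any single registry read.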

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2172 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe 3
PID 3376 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe 3
PID 3376 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe 3
PID 3376 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2228 wrote to memory of 2932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2228 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2228 wrote to memory of 3728 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 2228 wrote to memory of 1792 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 3728 wrote to memory of 1380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 1792 wrote to memory of 3276 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 31

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe

"C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe

"C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1520 -prefMapHandle 1700 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c11553f-0637-41b4-9a41-d0d5ccd16501} 1792 "\\.\pipe\gecko-crash-server-pipe.1792" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {218d4882-52c7-41e3-aac7-34b55b89e892} 1792 "\\.\pipe\gecko-crash-server-pipe.1792" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3240 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3224 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8033b0b0-cd8a-43c8-8aa2-c1eebaf488a8} 1792 "\\.\pipe\gecko-crash-server-pipe.1792" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3024 -childID 2 -isForBrowser -prefsHandle 2976 -prefMapHandle 2768 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4474f73f-59c8-411c-9260-8abd2fbaab00} 1792 "\\.\pipe\gecko-crash-server-pipe.1792" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4440 -childID 3 -isForBrowser -prefsHandle 2976 -prefMapHandle 2768 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ca96c45-91f8-445e-a0db-aa676201f937} 1792 "\\.\pipe\gecko-crash-server-pipe.1792" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5164 -prefMapHandle 5136 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ab57904-ddab-4d23-b59b-dbf14079c64a} 1792 "\\.\pipe\gecko-crash-server-pipe.1792" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 4 -isForBrowser -prefsHandle 5848 -prefMapHandle 5808 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {827290b3-1ca5-45c9-bf58-48e3a8d696bb} 1792 "\\.\pipe\gecko-crash-server-pipe.1792" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 5 -isForBrowser -prefsHandle 5948 -prefMapHandle 5952 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e39f639c-874c-438c-a4a8-78a08d710932} 1792 "\\.\pipe\gecko-crash-server-pipe.1792" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 6148 -prefMapHandle 6152 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d28e4f19-67f9-4879-a14a-a0fdbb5e9320} 1792 "\\.\pipe\gecko-crash-server-pipe.1792" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
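The WriteProcessMemory table is the only place in this report where parent and child PIDs appear together, so it is the raw material for a process tree; the Processes list above gives command lines but no PIDs. The script below is an added example, not the sandbox's own code: it parses "PID X wrote to memory of Y" rows, deduplicates repeated events per parent/child pair while keeping the count, and prints the tree. Its ROWS constant is copied from the table with the long runs of repeated firefox.exe rows trimmed, so the per-edge counts it reports are those of the trimmed sample, not the full table; only image names are attached to PIDs because nothing in the report ties a PID to a command line.

```python
"""Rebuild the process tree from WriteProcessMemory rows.

Added example for this report, not the sandbox's own code. ROWS is copied
from the "Suspicious use of WriteProcessMemory" table with repeats trimmed;
event counts below therefore reflect this sample, not the full table.
"""
import re
from collections import Counter, defaultdict

ROWS = r"""
PID 2172 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2172 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3376 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe
PID 3376 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe
PID 3376 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a9e6e6f344.exe
PID 3376 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 3728 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2228 wrote to memory of 1792 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3728 wrote to memory of 1380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3728 wrote to memory of 1380 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1792 wrote to memory of 3276 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1792 wrote to memory of 3276 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1792 wrote to memory of 3276 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")


def split_paths(rest):
    """Split 'source dest' where both are drive-letter paths that may hold
    spaces. Sufficient for this report: every image path starts with C:
    and no path contains the substring ' C:' itself."""
    parts = rest.split(" C:\\")
    if len(parts) != 2:
        raise ValueError(f"cannot split paths: {rest!r}")
    return parts[0], "C:\\" + parts[1]


def build_tree(rows):
    """Return (children, names, events): parent -> children in first-seen
    order, pid -> image name, (parent, child) -> number of write events."""
    children = defaultdict(list)
    names = {}
    events = Counter()
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst = int(m.group(1)), int(m.group(2))
        src_path, dst_path = split_paths(m.group(3))
        names.setdefault(src, src_path.rsplit("\\", 1)[-1])
        names.setdefault(dst, dst_path.rsplit("\\", 1)[-1])
        if events[(src, dst)] == 0:  # first sighting of this parent/child pair
            children[src].append(dst)
        events[(src, dst)] += 1
    return dict(children), names, dict(events)


def roots(children):
    """PIDs that write to others but are never written to themselves."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def render(children, names, events, pid, depth=0, via=None):
    """One indented line per process, with the write count on each edge."""
    tag = f" [{events[via]} write events]" if via else ""
    lines = [f"{'  ' * depth}{names[pid]} (PID {pid}){tag}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, events, child, depth + 1, (pid, child)))
    return lines


if __name__ == "__main__":
    children, names, events = build_tree(ROWS)
    for root in roots(children):
        print("\n".join(render(children, names, events, root)))
```

The rebuilt tree has a single root, the submitted sample (PID 2172), which spawns svoutse.exe (3376); that copy launches 2c6f07f57d.exe, a9e6e6f344.exe and the powershell.exe instance running do.ps1, and powershell.exe in turn starts the two cmd.exe and two firefox.exe processes. The four svoutse.exe entries at the end of the Processes list have no WriteProcessMemory row naming a parent, so they do not appear in the tree; the report records C:\Windows\Tasks\svoutse.job being written and the Task Scheduler COM API being used, which makes a scheduler-driven relaunch the obvious candidate, but the table itself does not confirm it.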

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 216.58.204.78:443 youtube-ui.l.google.com tcp
GB 216.58.204.78:443 youtube-ui.l.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
GB 216.58.204.78:443 youtube-ui.l.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
N/A 127.0.0.1:49851 tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
N/A 127.0.0.1:49860 tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.179.238:443 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
RU 185.215.113.103:80 185.215.113.103 tcp
GB 142.250.179.238:443 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp

Files

memory/2172-0-0x0000000000950000-0x0000000000DFC000-memory.dmp

memory/2172-1-0x0000000077DF6000-0x0000000077DF8000-memory.dmp

memory/2172-2-0x0000000000951000-0x000000000097F000-memory.dmp

memory/2172-3-0x0000000000950000-0x0000000000DFC000-memory.dmp

memory/2172-4-0x0000000000950000-0x0000000000DFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 28fc680cd7ce04804903263844ab3fec
SHA1 74dbf07bf5be88466023076f1b5a8192e5fb7e65
SHA256 b653aa8a63c1a7b1545618939c165fcf6a996e8fc45e1a6442f77e37b672a117
SHA512 6c7130922b5c21ffaa99b855ea6416f649b3dd91313c6d76b4273eb74281b9cb18ca806a68c34f9ed908c846983576a27b8a4d811277017e3fe4dc78d40696ba

memory/3376-16-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/2172-18-0x0000000000950000-0x0000000000DFC000-memory.dmp

memory/3376-19-0x0000000000401000-0x000000000042F000-memory.dmp

memory/3376-20-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/3376-21-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/3376-22-0x0000000000400000-0x00000000008AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\2c6f07f57d.exe

MD5 0f0ef1482985e6cf9403f782e6ba6d10
SHA1 d7b44e16fc1eb2845b3db09a4fec9ba66dfcebe4
SHA256 cc65a55c66501ede8db7f899410180caa449102982130e4ed48a45909156e3c1
SHA512 6b484bcbba919e8c2dfc86f703196adbe065c04b93d74d47cc63f7df2e1224a62c854b5b5c03b235c48f4db3a9449d59c9a6dbed832f2e0c0f0fccf739b0a794

memory/2584-38-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/2584-47-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/2584-48-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/3376-49-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/2584-57-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/3376-59-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/1340-58-0x0000000000CD0000-0x0000000001346000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/2228-67-0x0000000002260000-0x0000000002296000-memory.dmp

memory/2228-68-0x0000000004D90000-0x00000000053BA000-memory.dmp

memory/2228-69-0x00000000053F0000-0x0000000005412000-memory.dmp

memory/2228-70-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/2228-71-0x0000000005530000-0x0000000005596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0g3qqzum.odv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2228-80-0x00000000055A0000-0x00000000058F7000-memory.dmp

memory/2228-81-0x0000000005A90000-0x0000000005AAE000-memory.dmp

memory/2228-82-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

memory/2228-84-0x0000000006B60000-0x0000000006BF6000-memory.dmp

memory/2228-85-0x0000000005FC0000-0x0000000005FDA000-memory.dmp

memory/2228-86-0x0000000006050000-0x0000000006072000-memory.dmp

memory/2228-87-0x00000000071B0000-0x0000000007756000-memory.dmp

memory/3376-91-0x0000000000400000-0x00000000008AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 b96949003f65386b6e25962aa7f9954b
SHA1 593da29ca8dad2be0945b0db07df56106e9c8494
SHA256 1205e4174ffa96a2ad64f08895eeb6b150971d5cabe1b1bbd8e2786166198a43
SHA512 df2a3d3485190c19856246121a67dc1b52def16a5563d57db88a5af657c3cb1728ec163c8cdd1322079970c9aa06cc1a5d442c7720806b91e5726b5267d8fc31

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 d4ca65c262e39767c9ca08d488556b60
SHA1 a6824401546038eb7ea44c0133783c051ccece8a
SHA256 55bcc1af94c23eff45dd1be0b5e6b426ccf21878de1b8495a8de9808f6287ffa
SHA512 1eaa6f6d9f31ec466327e9246ed0f1292000a52af23b6d73406d89b56ddaa4fa9f8af06d6c55db53d20c4b3247415c60ee1ca2a9d3269ffeb8f337cf0bef27cc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\5b8bc7e1-1a88-4730-9aa1-189ac8ff97e6

MD5 df4b21aec8b417e41a160a36d1c57938
SHA1 45c3ef1b8b96558aff9fab3e0a135573431be1c7
SHA256 b0054e05de686b789be23362ca6a4ff94cd3671f26299d2475a99f0473fd0be4
SHA512 eb60614812e38f54c5e068191380ae4dd6694fdb5fd18d3bcaa28ed19bf139292005a3738b7a6181a7c5543ad565764b6209663b925f7a97c6c12b4fdf79c4e2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\c55f6f82-2d6d-4f90-8503-5620fef73df1

MD5 6fb3614335250b7e76b582443c4654da
SHA1 411a7f0883310055b75f72e97ae5934781a7cba2
SHA256 b298e932dfc3c4385feb266fc5f8935c607613ed5ca2a5b8e8172c79a4a47fde
SHA512 6491a13d7b9d5701f13f73a0ea0521fa075f7223b74dc4e3330c71e56696ecabc3c9ed22cb33aac2a57b9c39f00802ca71fecbac0f152a546624796c8bf88b44

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 6ee0d9d4440e4443eb552a38e34052e1
SHA1 1a084ac0d876c468de32311debfab5be5507675c
SHA256 46afd0f88ac02652ee7419bc1fb84760e5966171fccadb9affb41a242e438b01
SHA512 086579e604f1edb472f14ee6f1311d66b07e9afae090ec8ab0a2548a197bb02d60ba36ce533ce1602466b9c6afa93f40ee8a146f37c97a83340099cc82736a9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 2ba9d063661e9d64d4c329c52973f913
SHA1 8e94e50e3a0f00c245d291c57abc017ccc39e140
SHA256 6653a0bb0dbd5e9ea6e25d2c611307959f20e93a8845abaf8a1e48bfff25c16b
SHA512 c94866c66e4f94dba2c571777582667c8ca459f5837f46818d7ceaf3122fa6c0ae84d618e8d7731328b39e0d83b4405c640691663b4e3e452ec508afa7476192

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\5144c841-7bc1-4123-a1ea-530f504eacdc

MD5 985d28001ac9069ab5eb632dec545f8b
SHA1 7bbf7089fb6c1788c6ced675889ecb097723d3b6
SHA256 cb29eba31fa785e1e3c9252e1435e908fa9a230e0a10e5f3f9941fa66e2bd447
SHA512 5b66d5a48c45339ee85065f257927ef130623096a57fa728486886fc5e0a6ebee808adfc0a80fdd2101cf78b238908810a21b5baa645dd9938a400115f0b6b25

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 eaa759d3555d0e0f8cabcdde34195ea6
SHA1 af1d467d742243043936dd94a9e06249b7d5a338
SHA256 974e962fe49ebef86d960c9b5b96ac6987de433584e8c147887ca6dac3539b27
SHA512 ddf09d5933239ce2a5a32d5d17c459010b74a3b48eb164919fe1c4841bd66b05866e7bf162ad77b888d45cde210735ee12bab9e09aa6457ca8e6ac59f6ce5ee3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

MD5 a4829227b4da98b1e900cfd785d5b73f
SHA1 8506052a8bd9f67ddbe401302c8a77c92a2d77c6
SHA256 70411fe15ee64b22bba18bf7638cc837e2087f02ef39ef3d57d40b331317c35d
SHA512 1af1a59149290e8145cae15effac56af06427e0133a5ed62bf5094da4641100eccc6c5672674f70bdf1f6ef0eb499022b9b4d6af803793003839fe943873d19e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 14c5d26a8db3f2d4fbd587b045aeaa97
SHA1 8a879bfc592b2c783820f9e99219666b08abe9ef
SHA256 c5859618adc5de7166948928041117d3976f7479b910349c53c8fbf5fad6835f
SHA512 3564d466467ed36267e0e5925dac0ce6a852e2d4ad12264ec150e9f4c2475a6f546b74eb9c0598c058b33a280d9f27cd607b85901763ab7080426fd781a74896

memory/2584-460-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/2584-483-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/1340-491-0x0000000000CD0000-0x0000000001346000-memory.dmp

memory/3376-499-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/2584-512-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/1340-513-0x0000000000CD0000-0x0000000001346000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

MD5 71ddbd674a4d9b91d70c6cde7cf6bbe7
SHA1 af1735f3c72b4f7da1e939ce9fff83534e88f27e
SHA256 2b56d0bab27cfdf417ecef9830e833a4201ee09a98149f60f84107131b4f36e6
SHA512 b17bf522a9c14d838a4cbd5a97ee70f98c898b9bd618652f6e80df8fae8d65e2bfe71fef60fb17a7dd9c884dcfde763e8684d458bc4cbc11706288f0eb46391b

memory/3376-520-0x0000000000400000-0x00000000008AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 043c930474049f4b73ccb58a6cdced75
SHA1 bff5ea0f1e3ed124d8c773abbaaf02122129d9da
SHA256 b03978370627c72848cffc21f69bd9dc966870daae431e305664a613ac07a646
SHA512 de75a5b3e9d76c52a1c08a963411b340feebe250c6a19a1ab64ca194dab76de32bb4b46d177bd8cb98d85c3a28795d64fb74a1d01268da138112a074351c448a

memory/5264-541-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/5264-544-0x0000000000400000-0x00000000008AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 1025cf4d28410cc741751dfd3f8f17ba
SHA1 182fa4e9efbb73ab6956ea6ce00db4ca06a977d1
SHA256 84fcd3dae6e1ed2a74c7402085ad1f019f2ff53e8cc5d84f72b92fdc173f4ea2
SHA512 cebb8fc0b2b7bd3a999d872c6744741fe33721747178e0cbe48363ec7e80ca3d71ffbd2c2cf519f86a2b16dc7968292d01de80e0c192af1f5d7ceb43533352ee

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 d3a2a3b79232ebd9697e6a7fead8cc9e
SHA1 2d7902efb24532b633f759b10a49f866f12c167e
SHA256 7bd9e110de27e299bedc48ed988329d37ed0ab3f96d8114af13a589665ef41cc
SHA512 4ca4498e833a581e298a53d30a0886e4fe1690665c146dd0a5d66eb47ab5d07e5ba8d70db309f6e8787bb9bb987805b998dc7dcc70a12baf56bd5ebe598f109a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 f2efb404dbb4465bb87e51b4f93edf61
SHA1 a301ad661dd50e914bc4cce6246f13f15cc49c7e
SHA256 5b1ef0c799b2ad72cd2bc6da50b4145115772c1bcc8d8451338b0b7184a0ec74
SHA512 35ccd0e989158528f60494a13741fcd34bf0b96982e49d1a7343b76ee1250b1099dfce81f0dc18a2ccbf1d7d9eb71aaf873f4af1a823f11c4f54f2034721730e

memory/2584-660-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/1340-665-0x0000000000CD0000-0x0000000001346000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 76a1ab5423e2620694d99935330239bb
SHA1 3c74a7eadc9e19245d6d3ff9ed70b985fec1a773
SHA256 0da2ce4972a23e24e5b80f93be0e01fe71a3a3fcde3d67229949002cb9103329
SHA512 e102693e06ced74c03e9d7ad8690dd801d98aa0a88bc880226f294ab7bb7b4bc14890b6f0472f313e54b08a6aa50bcd21377c5e9b529cc5b1a91b4f6ac1da8d1

memory/3376-697-0x0000000000400000-0x00000000008AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 3864d5fb535368c4e7743cbc048b0f40
SHA1 9b520e75f5cbda0dc7d8045ada87a8b9210d4fe1
SHA256 69200ae689a1b292ab19bb5d7a83117061daadc6e677e613d70a704ac9c962af
SHA512 52266c5f30277befcde1990ea8017ec2231f404578419a4b26d4ecb36efcd8f1ad3a4c6f776aa704cc9a6bc763c1e3d8f02ce24ab0c4694d73f61ee2c6c0d0e9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

MD5 16303917d19dfee1416c415707713d76
SHA1 0e373ecc9142c77b5673efb6a0bdc016b8583642
SHA256 5319caba13770ff597ee615b59f4b7b2071da2f4727d7085dad2b417a16c8745
SHA512 58b6362f1af110e1b0b2fcf1dfbef8723b29110984ca9fb71becee344c51942abd42621081a0c2db923641c76335b4ae1e0e03eb14e22cbaddf01b37ef7af410

memory/2584-1008-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/1340-1057-0x0000000000CD0000-0x0000000001346000-memory.dmp

memory/3376-1214-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/2584-1370-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/1340-1384-0x0000000000CD0000-0x0000000001346000-memory.dmp

memory/3376-1541-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/2584-1731-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2584-1968-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/1340-2012-0x0000000000CD0000-0x0000000001346000-memory.dmp

memory/3376-2016-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/2584-2025-0x0000000000330000-0x00000000009A6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 3c3560b67bb2787da95cc641e5639e6b
SHA1 9e1cbaa33b569ef52797febc7e14ae8eeb4bad31
SHA256 f8acd6f06c435ce0660d22b5c6dacbe85ba7c7d06fd57b67f3c1c1edb9aae15b
SHA512 4a66f3cf342bd2d4637dd4d0903026873d6716d5033926fece04fa42604bae2e1ccbf556a6ad96253032c625653d3d1706d3596b7aaf0f3d1293dfcadabea398

memory/1340-2028-0x0000000000CD0000-0x0000000001346000-memory.dmp

memory/3376-2171-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/2584-2578-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/1340-2643-0x0000000000CD0000-0x0000000001346000-memory.dmp

memory/3376-2739-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/1500-2742-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/2584-2746-0x0000000000330000-0x00000000009A6000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\cookies.sqlite-wal

MD5 e37dfd6a1a7eb2963506c926c2ae026b
SHA1 feea3d6cd427c3caef35c96a8359b7a94ca0ed35
SHA256 e9b8606b6fad2124eee2aaa280b16245ed9bd367616aa2a21779823d87c94243
SHA512 bb78c09402a946dbc3fef0d61fe55baba1c2c94ec085caee977fa23ffa548aa97bb6b731a09c19251c78641c185aa3ab44c5b1e7870857cc4c5ebdd161703641

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\cookies.sqlite

MD5 f1b7f826d6fa51b896dd324afda07379
SHA1 e3c10e7481e7a55c6c55f233c64798bee514cea1
SHA256 7d9d56f4aefeffb82ff8969cce9ecbe9e96974e9788b9e2d8c56d811e204c235
SHA512 d4306adab198e07d596341eb29dec18da37d91504e8d129ee507d8cdea0f6f1f5f127530f30ad58d6617537fa63e95035878a51b38e419ece881b86eddca0f84

memory/1340-2763-0x0000000000CD0000-0x0000000001346000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\places.sqlite

MD5 097fa9abb2bfcfd3f3bff3f649cdaf7a
SHA1 f45ec3311f60a7efdfd2d6ce0f4b31be349f4214
SHA256 a66336e1e7a05f1becdfd0514c2b3d257c7d1564f838fc60dc5cbd158606b7c4
SHA512 19cfb100a9b39ccf12f4c072571cb467f34621808cc3337badf827791a031c53765256356475865cfdd42561f92ec28b358da5723f8795e127798a43da97109c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\places.sqlite-wal

MD5 b40497c02e9b997b6b6163beb8c83a40
SHA1 5e9e288afc396f6150ddc81f05a03cd5b79155b7
SHA256 06d740e419fd7b0e5f4ed0c2693afa00ea98d54656793ab98aa315f58ab21608
SHA512 37618bd00ae8ff33faa1c79891e0ae086b1fe995b8d0914e47532b75cd06a4afc166da15cfee5dd7e257971c2985596a38998dbc8d22e1e810aedf242c512ec3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 d6ee2b8dd5e8e42bf6527280dd7d2a60
SHA1 2cbf42793d305640e6c7f3add5a388f6a5205819
SHA256 22205bd2ce4051dbc157bf144b897ce9c00ad1be88cfe6896d08c64f88bb12ba
SHA512 a666ad9990602d352f766361042fccb74a56c169f35318d22a94f83d9f5a822eec69cc25869aa97a4d648800e22cecb23fdbf3e4abba3ee711fa06a66c9a80df

memory/2584-2775-0x0000000000330000-0x00000000009A6000-memory.dmp

memory/3376-2776-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/1340-2779-0x0000000000CD0000-0x0000000001346000-memory.dmp

memory/3376-2780-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/3376-2781-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/3376-2782-0x0000000000400000-0x00000000008AC000-memory.dmp

memory/3376-2794-0x0000000000400000-0x00000000008AC000-memory.dmp